DroopyCTF Walkthrough

Preparation:

Download the DroopyCTF virtual machine from the following website:

https://www.vulnhub.com/entry/droopy-v02,143/

1. Scan the network to find the IP address of the DroopyCTF server.

netdiscover -r 10.0.0.0/

2. Scan the DroopyCTF server using Nmap to find some potential vulnerabilities.

TCP Scan 1:

nmap -Pn -sS --stats-every 3m --max-retries  --max-scan-delay  --defeat-rst-ratelimit -T4 -p1- -oN /root/Delete/tcp1.txt 10.0.0.30

TCP Scan 2:

nmap -nvv -Pn- -sSV -p  --version-intensity  -A -oN /root/Delete/tcp2.txt 10.0.0.30

UDP Scan:

map -Pn --top-ports  -sU --stats-every 3m --max-retries  -T3 -oN /root/Delete/udp.txt 10.0.0.30

3. Browse the website(http://10.0.0.30/) through Firefox. Nothing valuable find in the source page.

Browse the website(http://10.0.0.30/robots.txt) through Firefox.

Browse the website(http://10.0.0.30/CHANGELOG.txt) through Firefox and try to find some vulnerabilities.

Try to find some exploit guider related to Drupal 7.0 in the Exploit Database. Download the exploit code

https://www.exploit-db.com/exploits/34992

We can also find some exploit titles on Kali Linux locally.

searchsploit drupal

We can also try to search for exploit modules related to drupal in Metasploit.

search drupal

4. Let's try to exploit the target server with Metasploit.

Use the exploit/multi/http/drupal_drupageddon module and show the information. It should be work.

Set the parameters and start to exploit. We have the shell.

Find the information of droopy server.

Try to find some exploit guider related to Linux Kernel 3.13.0 in the Exploit Database. Download the exploit code.

https://www.exploit-db.com/exploits/37292

Copy the code to the /var/www/html folder on Kali Linux, then download to the Droopy server.

Try to search the tty shell escapte cheat sheet on the Internet. https://netsec.ws/?p=337

python -c 'import pty; pty.spawn("/bin/sh")'

5. Download the exploit source code to /tmp folder on Droopy server. Compile and execute the exploit file.

Get the root privilege successfully.

OSCP Learning Notes - Capstone(3)的更多相关文章

  1. OSCP Learning Notes - Capstone(4)

    SickOS 1.2 Walkthrough Preparation: Down load the SickOS virtual machines from the following website ...

  2. OSCP Learning Notes - Capstone(2)

    BTRSys v2.1 Walkthrough Preparation: Download the BTRSys virtual machine from the following website: ...

  3. OSCP Learning Notes - Capstone(1)

    Kioptrix Level 1.1 Walkthrough Preparation: Download the virtual machine  from the following website ...

  4. OSCP Learning Notes - Overview

    Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...

  5. OSCP Learning Notes - Buffer Overflows(3)

    Finding Bad Characters 1. Find the bad charaters in the following website: https://bulbsecurity.com/ ...

  6. OSCP Learning Notes - Buffer Overflows(2)

    Finding the Offset 1. Use the Metasploite pattern_create.rb tool to create 5900 characters. /usr/sha ...

  7. OSCP Learning Notes - Buffer Overflows(1)

    Introduction to Buffer Overflows Anatomy of Memory Anatomy of the Stack Fuzzing Tools: Vulnserver -  ...

  8. OSCP Learning Notes - Netcat

    Introduction to Netcat Connecting va Listening Bind Shells Attacker connects to victim on listening ...

  9. OSCP Learning Notes - Enumeration(4)

    DNS Enumeration 1. Host Tool host is a simple utility for performing DNS lookups. It is normally use ...

随机推荐

  1. cb05a_c++_STL优先级队列priority_queue_less_greater

    /*cb05a_c++_STL优先级队列priority_queue自适应容器(容器适配器):不能使用list,list不能使用随机操作最大值优先级队列,//把数据放在队列里面是,最大的始终都是放在最 ...

  2. 黎活明8天快速掌握android视频教程--16_采用SharedPreferences保存用户偏好设置参数

    SharedPreferences保存的数据是xml格式,也是存在数据保存的下面四种权限: 我们来看看 我们来看看具体的业务操作类: /** * 文件名:SharedPrecences.java * ...

  3. win10使用WSL 2运行Docker Desktop,运行文件从C盘迁移到其他目录

    前言 前几天重装系统,把系统升到了Windows 10 2004,然后在安装Docker Desktop(2.3.0.3版本)时发现跟以前不太一样了.现在Docker Desktop默认使用WLS 2 ...

  4. 3分钟理解NMS非极大值抑制

    1. NMS被广泛用到目标检测技术中,正如字面意思,抑制那些分数低的目标,使最终框的位置更准: 2. 假如图片上实际有10张人脸,但目标检测过程中,检测到有30个框的位置,并且模型都认为它们是人脸,造 ...

  5. MFC线程(二):线程同步临界区CRITICAL SECTION

    当多个线程同时使用相同的资源时,由于是并发执行,不能保证先后顺序.所以假如时一个公共变量被几个线程同时使用会造成该变量值的混乱. 下面来举个简单例子. 假如有一个字符数组变量 char g_charA ...

  6. Laravel表单验证提示设置多语言

    默认表单提示是英文的,我们可以安装语言包构建多语言环境. 根据版本选择命令 For Laravel 7.x : run composer require caouecs/laravel-lang:~6 ...

  7. springboot 整合retry(重试机制)

    当我们调用一个接口可能由于网络等原因造成第一次失败,再去尝试就成功了,这就是重试机制,spring支持重试机制,并且在Spring Cloud中可以与Hystaix结合使用,可以避免访问到已经不正常的 ...

  8. 一个ACE 架构的 Socket Client

    .h /************************************************************** * Filename: TcpClient.h * Copyrig ...

  9. 从别人的代码中学习golang系列--02

    这篇博客还是整理从https://github.com/LyricTian/gin-admin 这个项目中学习的golang相关知识 作者在项目中使用了https://github.com/googl ...

  10. css实现1px 像素线条_解决移动端1px线条的显示方式

    使用CSS 绘制出 1px 的边框,在移动端上渲染的效果会出现不同,部分手机发现1px 线条变胖了,这篇文章整理2种方式实现1px 像素线条. 1.利用box-shadow + transform & ...